Cybersecurity Posture vs. Cybersecurity Theater: What the M&S Ransomware Attack Reveals
Your cybersecurity posture — every tool, process, person, and tested control standing between your business and an attacker — is either a functioning system or it is theater. In April 2025, Marks & Spencer learned that distinction at a cost of tens of millions of pounds. The 140-year-old British retail institution had security tools, vendor relationships, and every reason to take this seriously. A ransomware attack still knocked out online orders, broke supply chains, and sent its stock price into a slide. For any business owner watching from the outside, the right question is not “how did this happen to them?” It is: what is the difference between having cybersecurity and actually being protected? That gap is the most important thing a CEO can understand this year.
Table of Contents
- What Actually Happened at M&S
- The Gap Between Cybersecurity Posture and Theater
- Why This Matters for SMBs, Not Just Large Enterprises
- What a Genuine Cybersecurity Posture Actually Looks Like
- How the NIST Cybersecurity Framework Maps to Your Posture
- The Hard Questions to Ask Your IT Firm Right Now
- The Bottom Line
What Actually Happened at M&S
The attack on M&S is attributed to a group known as Scattered Spider — a loosely organized collective that has hit a string of high-profile organizations. Their method was not exotic malware smuggled through an obscure vulnerability. According to reporting by the BBC and corroborated by cybersecurity researchers, the attackers used social engineering — specifically, manipulating IT helpdesk processes to obtain credentials. Once inside, they deployed ransomware that encrypted critical systems and exfiltrated data.
The method matters. This was not a single product failing. It was a failure of process, human verification, and the assumption that tools alone constitute a defense. M&S reportedly suffered tens of millions of pounds in lost revenue, weeks of operational disruption, and reputational damage still being counted. A company that size, with that level of investment, still had a gap wide enough to drive a ransomware attack straight through.
The Gap Between Cybersecurity Posture and Theater
“Cybersecurity posture” gets used loosely, so it is worth being precise. Your cybersecurity posture is the sum total of your defenses — tools, processes, people, training, testing, and governance — that together determine how well you can prevent, detect, and recover from an attack. It is a system. It is not a product you buy once and forget.
Cybersecurity theater, by contrast, is the appearance of protection without the substance. It is the firewall whose rules have not been reviewed in three years. It is the antivirus that generates alerts nobody reads. It is the annual employee training everyone clicks through in four minutes to earn a completion certificate. It is the backup that has never been tested for actual recovery. Organizations running cybersecurity theater are not protected — they are insured against the guilt of not trying, which is a very different thing.
The M&S attack illustrates this gap precisely. The attackers did not need to break through hardened defenses. They found a process — helpdesk identity verification — that looked like a control but was not functioning as one. That is theater. A genuine cybersecurity posture would have included strict, tested identity verification protocols that could not be bypassed with a phone call and a convincing story.
Why This Matters for SMBs, Not Just Large Enterprises
The natural reaction from a small or mid-sized business owner is: “We are not M&S. Attackers are not coming for us.” This is one of the most dangerous assumptions in business today, and the data does not support it. CISA’s StopRansomware Guide makes clear that small businesses are frequently targeted precisely because their defenses are weaker. Attackers operate at scale — they are not handpicking targets based on prestige. They scan for vulnerabilities and walk through the doors that open.
Small businesses also carry a specific risk that M&S does not: fewer redundant systems, thinner cash reserves to absorb disruption, and no dedicated security team to contain an incident while it is happening. When ransomware hits a small business, the impact is not a stock price dip — it can be an existential event. Multiple industry studies have found that a significant percentage of small businesses that suffer a serious ransomware attack do not survive the following twelve months.
The M&S attack is a useful case study not because it happened to a large company, but because it illustrates mechanisms — social engineering, credential theft, lateral movement, encryption of critical systems — that apply just as directly to a 15-person professional services firm in New Jersey as to a retailer with thousands of locations. A weak cybersecurity posture is a liability at any company size.
What a Genuine Cybersecurity Posture Actually Looks Like
If tools alone are not enough, what does genuine protection actually require? A well-run security operation builds defense in layers, and each layer has to function as a real control — not a checkbox.
Identity and access controls that hold under pressure. The M&S attack exploited a weak identity verification process. Real protection means multi-factor authentication on every system, strict protocols for credential resets, and helpdesk procedures that cannot be bypassed through social pressure or a well-rehearsed script. The human layer is as important as the technical one.
Continuous monitoring that someone actually acts on. Most organizations generate security alerts. Far fewer have a process for reviewing, triaging, and responding to those alerts in a window that matters. An alert sitting in a queue for 72 hours is not a defense — it is a log of what went wrong. Monitoring without response is theater, not a cybersecurity posture.
Tested backups with a real recovery plan. A backup system is only as valuable as its ability to restore. A backup that has never been tested for full system recovery is a hypothesis, not a control. Genuine protection means regular recovery drills, documented recovery time targets, and the confidence that comes from having actually run the process.
Security awareness training that changes behavior. Annual click-through training does not change how people respond to a phishing email or a social engineering call. Effective programs are short, frequent, scenario-based, and followed up with simulated attacks that test real responses. The goal is instinct, not completion rates.
Vendor and third-party risk management. A significant share of breaches in recent years trace back to a vendor, contractor, or third-party integration. If your supply chain has access to your systems, their security posture becomes your risk. Understanding who has access to what, and under what controls, is non-negotiable.
Incident response planning before an incident happens. Most small businesses have no written incident response plan. When an attack hits, that absence means critical minutes are spent on decisions that should have been made in advance — who to call, what to isolate, when to notify clients. A plan that exists only in someone’s head is not a plan.
None of these elements are exotic. None require a Fortune 500 budget. What they require is deliberate design, ongoing attention, and the discipline to treat security as a system rather than a product. That is what separates a genuine cybersecurity posture from the appearance of one. Xact IT builds these layered defenses specifically for small and mid-sized businesses — organizations that need rigorous security thinking without the enterprise complexity. You can also explore our managed IT services to see how ongoing support reinforces your security posture at every layer.
How the NIST Cybersecurity Framework Maps to Your Posture
One of the most practical tools for evaluating your cybersecurity posture is the NIST Cybersecurity Framework, which organizes security activities into five core functions: Identify, Protect, Detect, Respond, and Recover. Each maps directly to a layer of genuine protection.
Identify means knowing your assets — every device, every user account, every vendor with access. You cannot protect what you have not inventoried.
Protect covers access controls, training, and the technical safeguards that limit exposure.
Detect is your monitoring capability — not just generating alerts, but ensuring someone reads and acts on them.
Respond is your incident response plan — a documented, tested playbook that guides your team when something goes wrong.
Recover is your ability to restore operations quickly after an incident, using verified, tested backups.
Running your cybersecurity posture against these five functions is a fast, structured way to surface gaps. Most small businesses have reasonable Protect controls but real weaknesses in Detect, Respond, and Recover — precisely the functions that determine whether a ransomware attack becomes a manageable incident or a business-ending event. The M&S case shows that even large organizations fail at Detect and Respond when human processes are not hardened alongside technical ones.
The Hard Questions to Ask Your IT Firm Right Now
If you are a business owner or CEO and you are not certain where your organization stands, these questions are worth putting directly to your IT provider. The answers — or the inability to answer — will tell you a great deal about the true strength of your cybersecurity posture.
- When was the last time our backup system was tested for a full recovery, and what was the documented result?
- What is the process for a helpdesk technician to verify identity before resetting a password or granting access — and has that process ever been tested with a simulated social engineering attempt?
- What happens when a security alert is generated at 11pm on a Friday night?
- Which third-party vendors or contractors have access to our systems, and what controls govern that access?
- Do we have a written incident response plan, and when was it last reviewed?
- What would a ransomware attack look like in our environment, and what is the realistic recovery timeline?
These are not trick questions. A competent IT and security partner answers every one of them with specifics, not generalities. Vague answers — “we have monitoring in place,” “we follow best practices” — are the sound of cybersecurity theater. Specific, documented, tested answers are the sound of a genuine cybersecurity posture.
The Bottom Line
The M&S ransomware attack is not a cautionary tale about an unusual company making unusual mistakes. It is a high-visibility example of a failure pattern that plays out every day at organizations of every size: the assumption that buying security products is the same as being secure. Marks & Spencer had logos on a slide deck. They had vendor contracts. What they appear to have lacked was a cybersecurity posture strong enough to hold when a human being was targeted directly.
The takeaway is not panic — it is precision. Stop asking “do we have cybersecurity?” Start asking “does our cybersecurity posture function as a system of tested, layered controls?” If you cannot answer that with confidence, the gap you are living in is the same gap that cost M&S tens of millions of pounds and weeks of operations.
Closing that gap does not require an enterprise budget. It requires the right partner, deliberate design, and the discipline to treat security as ongoing work rather than a one-time purchase. Start by visiting our IT and security services overview or speaking directly with the team at Xact IT about where your cybersecurity posture stands today. Or, if you would rather talk it through first, Book a Free Cybersecurity Strategy Call — a straight 20-minute conversation with our team, no sales pressure, no obligation.
Frustrated With Your Current IT Provider?
If your current MSP isn’t catching the things this post describes, that’s a signal worth acting on. Book a strategy call and we’ll walk through what an honest IT partnership looks like for a business your size.